Help Center/ Cloud Firewall/ User Guide/ Access Control/ Access Control Policy Overview

Updated on 2025-07-23 GMT+08:00

View PDF

Access Control Policy Overview

CFW allows all traffic by default. If no access control policies are configured, all the communication between internal servers and the Internet will be allowed. Unauthorized access or the lateral threat movement will go unchecked. You can configure access control policies in CFW to allow or block specific traffic and implement multi-dimensional protection.

Access Control Policy Types

Access control policies include protection rules, the blacklist, and the whitelist. Table 1 describes their differences. If traffic hits a policy, the action specified in the policy will be performed.

**Table 1** Differences between protection rules and blacklist/whitelist
Type	Protected Object	Network Type	Action	Configuration Method
Protection rules	5-tuples IP address groups Geographical locations Domain names and domain name groups	EIP Private IP address	If Block is selected, traffic will be blocked. If Allow is selected, traffic will be allowed by protection rules and then checked by IPS.	Configuring Protection Rules to Block or Allow Internet Border Traffic
Blacklist	5-tuples IP address groups		Traffic is blocked directly.	Adding Blacklist or Whitelist Items to Block or Allow Traffic
Whitelist	5-tuples IP address groups		Traffic is allowed by CFW and not checked by other functions.

Priority of Access Control Policies

The priorities of CFW access control policies in descending order are as follows: Whitelist > Blacklist > Protection policy (ACL).

Figure 1 Protection priority

For details about the protection sequence of all CFW policies, see What Are the Priorities of the Protection Settings in CFW?

Specification Limitations

To enable VPC border protection and NAT protection, use the CFW professional edition and enable the VPC border firewall.

Precautions for Configuring a Blocking Policy

The precautions for configuring a protection rule or a blacklist item for blocking IP addresses are as follows:

You are advised to preferentially configure specific IP addresses (for example, 192.168.10.5) to reduce network segment configurations and avoid improper blocking.
Exercise caution when configuring protection rules to block reverse proxy IP addresses, such as the WAF back-to-source IP addresses. You are advised to configure protection rules or whitelist to permit reverse proxy IP addresses.
Blocking forward proxy IP addresses (such as company egress IP addresses) can have a large impact. Exercise caution when configuring protection rules to block forward proxy IP addresses.
When configuring region protection, take possible EIP changes into consideration.

Elements in a Protection Rule

Protection rules can identify and match different traffic elements to allow or block related traffic.

Element	Description	Configuration Type	Configuration Supported By Different Rules
Source	The party that initiates a connection.	IP address: Access control is performed on the traffic from a specific IP address. IP address group: Access control is performed on the traffic from a series of IP addresses. Region: Access control is performed on the traffic from the IP addresses in a specific region. Any: any source address	Internet border: Inbound: IP address, IP address group, region, and Any Outbound: IP address, IP address group, and Any NAT gateway: Inbound: IP address, IP address group, region, and Any Outbound: IP address, IP address group, and Any VPC border rule: IP address, IP address group, and Any
Destination	The party that receives a connection.	IP address: Access control is performed on the traffic sent to a specific IP address. IP address group: Access control is performed on the traffic sent to a series of IP addresses. Region: Access control is performed on the traffic sent to the IP addresses in a specific region. Domain name or domain name group: Access control is performed on the traffic sent to specific domain name addresses. To set the destination to a domain name or domain name group in a protection rule, choose from the following domain name types: Application: HTTP, HTTPS, TLS, SMTPS, or POPS. CFW preferentially controls the access to domain names based on the Host or SNI field. Network: CFW performs DNS resolution to obtain the IP address of a domain name and controls access to the IP address. Any: any destination address	Internet border: Inbound: IP address, IP address group, and Any Outbound: IP address, IP address group, region, domain name, domain name group, and Any NAT gateway: Inbound: IP address, IP address group, and Any Outbound: IP address, IP address group, region, domain name, domain name group, and Any VPC border rule: IP address, IP address group, domain name, domain name group, and Any
Service	Traffic protocol type or port number	Service and service group: A service or a set of services. You can specify the protocol type, source port, and destination port to identify a service.	The ICMP protocol does not support port configuration.
		Service: Set Protocol Type, Source Port, and Destination Port. Protocol: Transport layer protocol. It can be TCP, UDP, or ICMP. Source port: Access is controlled based on traffic source ports. Destination port: Access is controlled based on traffic destination ports.
		Service Group. A set of services.
		Any: Select Any if you are not sure about the protocol type.
Application	Application layer protocol	The application layer protocol can be HTTP, HTTPS, SMTP, SMTPS, SSL, or POP3. If you are not sure about the protocol type, select Any.	It varies according to the selected protocol type.

Example configuration:

Parameter	Input	Description
Source/Destination	0.0.0.0/0	All IP addresses
Domain name	www.example.com	Domain name www.example.com
Domain name	*.example.com	All domain names ending with example.com, for example, test.example.com
Service - Source port or destination port	1-65535	All ports
	80-443	All ports in the range 80 to 443
	80 443	Ports 80 and 443

References

For details about how to add a protection rule to protect traffic, see Configuring Protection Rules to Block or Allow Internet Border Traffic.
For details about how to add a blacklist or whitelist item to protect traffic, see Adding Blacklist or Whitelist Items to Block or Allow Traffic.
For details about how to add protection policies in batches, see Importing and Exporting Protection Policies.
Follow-up operations after adding a policy:
- Policy hits: For details about the protection overview, see Viewing Protection Information Using the Policy Assistant. For details about logs, see Access Control Logs.
- For details about the traffic trend and statistics, see Traffic Analysis. For details about traffic records, see Traffic Logs.
If your traffic is incorrectly blocked by a protection policy, troubleshoot the problem by referring to What Do I Do If Service Traffic is Abnormal?